[VoT] Foundational questions of principle

[swilson@lockstep.com.au]

 
First, to introduce myself, I am an identity and privacy researcher, analyst and consultant.  I've been involved in this since 1995, when I cut my teeth in PKI and smartcards (with the early companies that became Baltimore Technologies). Since then I've worked on identity management frameworks, regulations and standards.  
 
I subscribe to the old Italian proverb: "it's nice to trust but better not to".  Words matter and I wonder if we shouldn't be using the word trust so much.  
 
More pragmatically, I note the very strong "Attributes" push of the past 18 months.  Andrew Nash, Anil John, myself and others have written about this.  The FIDO Alliance is all about authentication and attributes, and they purposefully leave "identity" as a matter for others to work out further up the stack. The OID Foundation is promoting an Attributes Exchange Network "AXN" architecture.  New entrants like id.me (an NSTIC pilot participant) talk about attributes and avoid "identity". 
 
I mention all of this as a prelude to suggest that "vector of trust" is synonymous with "attribute". I wonder if it would be clearer to use plain and current language rather than carry forward the fuzzy and I think overly ambitious idea of "trust"? 
 
Finally, I'd like to throw in my abiding concern that LOAs have foundered simply because it's difficult to pigeonhole risk. One party's idea of "medium" risk for instance will rarely map precisely to another's. I think people have been misled into thinking that an "LOA 3" identity should be be able to be used on its face (i.e. will "interoperate") at any "LOA 3" RP. Risk management is not so simple. 
 
The LOA paradigm borrows from Risk Management standards like ISO 31000 which organisations use to plot their own risks internally typically on a five scale (eg Negligible / Low / Medium / High / Grave). But risk management standards require that each organisation calibrates risk in its own business context and according to its own risk appetite. The risk of a firewall breach for example at a startup social media company will be assessed differently by a big listed healthcare company. So organisation A can say the risk of event X is Low but B can say the risk of the same event is Medium.  As a result, LOAs do not inter-operate. They are based on standards meant for intra-organisation risk management, not inter-organisation communication of risk assessments. 
 
So far with VoT we are adding more dimensions to the RPs' generic risk management decision making, and that's great.  But we are still pigeonholing the dimensions.
 
I'm afraid the reality is that risk management will always be done locally.  And so it should be.  When an RP is making the decision to accept or reject a given subject, they will evaluate a range of attributes or signals.  The set of attributes that matters varies from one RP to the next.  I think it's a great idea indeed to create guidance for evaluating attributes, and to coach RPs to look at all sorts of dimensions.  I just don't think it helps anyone to pigeonhole the risk ratings, because across organisations, arguments about the boundaries between LOA 1/2/3/4 (that is, policy mapping) will undo any efficiencies gained from the categorization.  
 
Cheers, 
 
Steve.
 
 
Stephen Wilson
Managing Director
Lockstep Group
http://lockstep.com.au
Lockstep Consulting provides independent specialist advice and analysis 
on digital identity and privacy. Lockstep Technologies develops unique 
new smart ID solutions that enhance privacy and prevent identity theft.